Connect with us

Hi, what are you looking for?


Endpoint Security

Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems

Driver vulnerabilities can facilitate attacks on ATMs, point-of-sale (PoS) systems and other devices, firmware security company Eclypsium warned on Monday.

Driver vulnerabilities can facilitate attacks on ATMs, point-of-sale (PoS) systems and other devices, firmware security company Eclypsium warned on Monday.

Eclypsium last year analyzed device drivers from major vendors and found that over 40 drivers made by 20 companies contained serious vulnerabilities that could be exploited to deploy persistent malware.

The firm now warns that the Windows drivers used in ATMs and PoS devices can be highly useful to threat actors targeting these types of systems.Device driver vulnerabilities

A significant number of ATM malware families emerged over the past years, including the ones known as Skimer, Alice, CUTLET MAKER, Ploutus, Tyupkin, ATMJackpot, Suceful, RIPPER, WinPot, PRILEX, ATMii and GreenDispenser. Many of these pieces of malware allow their operators to conduct so-called “jackpotting” attacks, where the attacker instructs the targeted ATM to dispense cash.

According to Eclypsium, vulnerabilities affecting the drivers running on ATMs or PoS devices could allow attackers to escalate privileges and gain “deeper access” into the targeted system.

“By taking advantage of the functionality in insecure drivers, attackers or their malware can gain new privileges, access information, and ultimately steal money or customer data,” Eclypsium explained.

As an example, the security firm described a vulnerability found by its researchers in a driver present on Diebold Nixdorf ATMs. The driver in question provides access to x86 I/O ports, which is fairly limited in terms of functionality compared to other drivers. Nevertheless, a driver that provides arbitrary access to I/O ports can be useful in the initial phases of an attack, as it could allow the attacker to obtain access to PCI-connected devices, including external devices and the SPI controller, which provides access to the system firmware.

“What ‘PCI access’ means is that software would be able to communicate with PCI devices and as a result use them,” Mickey Shkatov, principal researcher at Eclypsium, told SecurityWeek. “Consider the following flow as an example: software uses the driver to perform I/O operations that translate to legacy PCI access, then the software uses that PCI access to direct a device to perform actions.”

“The Intel SPI controller is such a device that in turn can read/write to the system firmware on the on-board non-volatile memory. By gaining arbitrary access to the I/O ports, an attacker could potentially gain arbitrary PCI access, which in turn could allow the attacker to target data to and from PCI-connected devices,” Shkatov explained.

Advertisement. Scroll to continue reading.

Eclypsium also pointed out that in the case of the driver used by Diebold Nixdorf, it could allow an attacker to install a bootkit on the targeted device as the driver is also leveraged to update the BIOS firmware.

The vulnerability was reported to the vendor, which released patches earlier this year. On the other hand, these types of security flaws can pose a risk for an extended period of time as it typically takes the manufacturers of highly regulated devices much longer to release patches due to compliance requirements. For instance, in this case, Eclypsium says its research was completed in May 2019, but it could not disclose its findings until now.

Moreover, it can take a lot of time for the updates to reach all end devices, which often still run outdated operating systems, such as Windows XP and Windows 7.

Eclypsium believes there are likely many other vulnerable drivers that expose ATMs to attacks and they could be affected by even more serious security holes.

Related: Peripherals With Unsigned Firmware Expose Windows, Linux Computers to Attacks

Related: France Says Breaks Up International ATM ‘Jackpotting’ Network

Related: ATM Maker Diebold Nixdorf Hit by Ransomware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.